The National Institute of Standards and Technology (NIST) recently published a paper condemning paperless electronic voting machines as insecurable. I'll have to read the paper in-depth to see how they came to that strong of a conclusion, but I do know that there is no research showing that a purely electronic system can be completely trustworthy.

It's amazing how far this subject has come in just a few years, yet how far it still needs to go as evidenced by the irregularities in the recent 2006 midterm election.

I've been wondering this and noting that more and more products are coming wrapped in this stuff. I use a tchotchke that I got from Tripwire that has a tiny corner of a razor blade on it to open these packages, but even then, the cut plastic package is sharper than the razor. I've cut myself on several occasions. The unusual shapes of the packages don't make it very easy to cleanly open either.

Mayid's call shortly after 4 a.m. sent four Polk County, Fla., deputies racing to the 2,150-acre lake just outside Lakeland, Fla., where they jumped into the water and wrenched Apgar's arm from the gator's mouth. The 45-year-old victim, who told authorities he'd passed out nude on the shore after smoking crack cocaine, was rushed to a hospital in critical condition.

Later Wednesday, state wildlife authorities trapped and killed a nearly 12-foot-long alligator thought to be the one that attacked Apgar. ... Sheriff's officials have said Apgar, 45, suffered a broken right arm. His left arm was nearly severed, and he had bites to his buttocks and leg. He underwent surgery Wednesday afternoon at Lakeland Regional Medical Center.

Friday, November 24, 2006

It's not really a typo but an intentionally left-out X separator for aesthetics on the sculpture that was intended to result in gibberish when decrypted that would clue in the decryptors to reinsert a separator and try again, except it ended up spelling something intelligible instead of garbage so they thought they had decrypted it properly!

For nearly 16 years, puzzle enthusiasts have labored to decipher an 865-character coded message stenciled into a sculpture on the grounds of the Central Intelligence Agency's headquarters in Langley, Va. This week, the sculptor gave them an unsettling but hopeful surprise: part of the message they thought they had deciphered years ago actually says something else.

A study from a year ago but just as valid today. Actually, over the past year, IE got much worse. There were many exploits and unpatched holes in the browser.

One of the best things you can do for your Windows security is to make sure you upgrade to IE 7.x, which has been redesigned to avoid many classes of attacks. It is being pushed out by Windows Update (or Microsoft Update). You can also switch to Firefox or Opera to get better security, but please don't use IE 6.x or older anymore!

Unfortunately, you have to be on Windows XP SP2 or higher to use IE 7. So, it will force Windows 2000 users to upgrade to XP first. That is probably also a good thing for security though.

People sign up for a free, three-day trial of the company's software that allows them to download movie clips. After the three days, they are inundated with pop-up demands for payment, generated by software that has been placed on their computers without their knowing consent.

The pop-ups, which appear hourly or even more frequently, read "Click 'Continue' to purchase your license and stop these reminders." The pop-ups remain on the screen for 40 seconds and cannot be closed during that time. McKenna also said that computer owners are not obligated to honor contracts entered into by others using their computers.

Get this: The list of top terrorist targets from the Department of Homeland Security is seriously braindead. It includes 1,305 casinos, 234 restaurants, an ice cream parlor, a tackle shop, a flea market, and an Amish popcorn factory -- 3,650 sites total. What's going on? Pork-barrel politics is what's going on. We're never going to get security right if we continue to make it a parody of itself.

The worst part is that DHS didn't even try to hide the pork-barreling by making the inclusions and omissions clear and blatant. Oy. I reluctantly file this in the security category...

I've tried to highlight the absurdity of trying to protect every cranny of our country from al-Qaida attack. I've critiqued everything from the waste of buying anti-terrorist locks for Sammamish City Hall to the illogic of not having security cameras outside our airport. And yes, I've resorted to that columnist stock-in-trade: mocking and satirizing.

But it turns out nothing I can make up is as ludicrous as what the Department of Homeland Security is actually doing.

Here's a description of how to open a common Master brand lock in about 10 minutes. The design makes the 40^3 possible combinations collapse to 121. It's a physical metaphor for bad cryptography and reliance on obscurity.

I happen to have a lock that I forgot the combo to that this will definitely come in handy for...if I can only find the lock...

WASHINGTON, DC—In a carefully phrased, 128-bit encoded announcement that has challenged U.S. security agency procedures, top officials of the National Cryptography and Information Security Council warned that "FrpX-K5jE-Oc4n-e5Dn" if "Ha4d-87gH-uiH3-gB5r-g8Bh" late Monday.

So, there happen to be these unwritten rules of style that change all the time that nobody seems to tell you about and it's hard to ask and for many, harder to know you should ask. And there are people in the work world that do judge you by your appearance, for better or worse, consciously and unconsciously. Here is some advice that I have culled from significant others, from experience and observation in the workplace, from the advice in Esquire, and even from What Not to Wear on TLC.

No pleated pants

Get rid of your pleated pants in favor of flat-front pants. Flat-front pants are simpler, more modern looking, make you look slimmer, and not like an old man.

Clothes should look new and fresh

If your sweaters are pilled and your pants have wallet or knee wear marks, or the cuffs are frayed, it's time to get some new clothes. Buy something new and donate the old.

Get pants with the proper length

If you don't know your length, get measured or fitted in a store sometime. Your pants should "break" at the ankle and continue down slightly over your shoe. If you can see your socks when standing, your pants are too short!

Appropriate sock color

White socks are generally not going to work with any business casual attire, unless it is Miami Vice white suit day, but even then you probably would be better going without socks...but I digress. The general rule with socks is they should not be noticeable! If your socks stand out, they are wrong for your outfit. I mostly wear neutral socks that match my pants to not draw attention to them. If you are wearing athletic socks with slacks you need to go to Costco and get some Gold Toe dress socks and save the Nike socks for the gym.

Your shoes tell all

They say you can tell a man by his shoes--they make or break an outfit. You can be totally put together elsewhere but if your shoes are crap, it's game over. What do your shoes say about you? Are they tired, scuffed, worn and dirty or new, sleek, stylish and shiny? It sucks but you really should have several pairs of shoes so that you can rotate them. Avoid wearing one pair day-in and day-out so that they will last longer and look fresh when you do wear them. I've even bought two of the same less expensive pairs of shoes that I liked to keep them looking nicer longer. Oh, and invest in a shoe brush and some instant shine pads. Esquire recommends using black polish--even with brown shoes.

Wear the right size shirt

This is another one of those things you're never taught: how to know you have the right size shirt. Here's the best way to know: Where the sleeves attach to the main body of the shirt, it makes a line. That line should roughly be even with the very edge of your shoulder blade. More than a 1/4 inch past that and your shirt is probably too big. I often see this with people who wear golf shirts (even PGA pros are bad offenders. Tiger Woods does it right though). Another way to tell if your short-sleeve shirt is too big is if your sleeves extend far past your elbow. They should probably end short of your elbow if it is sized correctly. Having the right size shirt means a sharper, put-together look. Oversized shirts tend to look sloppy or overly-casual.

Dress for the position you want, not the one you have.

Hey, I've been there where I loved being able to wear jeans and a T shirt because, hey, nobody sees me in the server room. But, if you have higher aspirations or if you interface with business folks who tend to dress nicer than you, then your clothes can be a distraction from you and your message. If anything, your clothes should be neutral or enhance your message. Beware of some managers who get nervous if their underlings dress nicer than they do, but that isn't really your problem--it's theirs for not dressing to their level in the organization!

Skip ironing -- use the cleaners!

Nothing says sloppy like a button-down shirt that has not been ironed or is poorly ironed. The difference I found with people who truly look sharp is not just tailoring but well-maintained clothing. It is so cheap to have someone else iron your shirts and it looks 1000 times better than if you try to do it that it is well worth the investment. And you can usually get a couple of wears out of each shirt before it needs to be sent back for cleaning and ironing. I pay $0.99 / shirt. If you have nice pants, you can usually get away with ironing them yourself but professional pressing also looks a lot better and holds longer than home ironing.

Nice proof of concept code that can read passport data was posted to BUGTRAQ. The "key" consists of data printed on the passport itself, so you can remotely decrypt someone's data only if you know this information, or can brute-force it since it is a small keyspace:

The Passport number

The Date Of Birth of the holder

The Expiry Date of the Passport

The latest version of RFIDIOt, the open-source python library for RFID exploration/manipulation, contains code that implements the ICAO 9303 standard for Machine Readable Travel Documents in the form of a test program called 'mrpkey.py'.

This program will exchange crypto keys with the passport and read and display the contents therein, including the facial image and the personal data printed in the passport.
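As an added illustration (this is not code from the BUGTRAQ post or from RFIDIOt), the Python below computes the ICAO 9303 check digits and the Basic Access Control key seed and session keys from exactly the three fields listed above, and a rough log2 of how many MRZ strings an attacker would have to try. The sample document number, birth date and expiry date are the ICAO 9303 specimen values; the keyspace parameters passed to keyspace_bits are assumed round numbers, not figures from the post.

```python
"""Added example: ICAO 9303 BAC key derivation and keyspace estimate.
Not code from the page or from RFIDIOt; standard-defined steps only."""
import hashlib
import math


def mrz_char_value(c: str) -> int:
    """MRZ value of a character: digits as-is, '<' is 0, A..Z are 10..35."""
    if c.isdigit():
        return int(c)
    if c == "<":
        return 0
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """ICAO 9303 check digit: weights 7,3,1 repeating, sum modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(c) * weights[i % 3] for i, c in enumerate(field))
    return total % 10


def bac_key_seed(doc_number: str, dob_yymmdd: str, expiry_yymmdd: str) -> bytes:
    """Kseed = first 16 bytes of SHA-1 over MRZ_information, i.e. the document
    number, birth date and expiry date, each followed by its check digit."""
    doc = doc_number.ljust(9, "<")  # the document number field is 9 chars, '<' padded
    mrz_info = (f"{doc}{mrz_check_digit(doc)}"
                f"{dob_yymmdd}{mrz_check_digit(dob_yymmdd)}"
                f"{expiry_yymmdd}{mrz_check_digit(expiry_yymmdd)}")
    return hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]


def with_des_parity(key: bytes) -> bytes:
    """Force odd parity on every byte, as 9303 requires for the 3DES keys."""
    out = bytearray()
    for b in key:
        b &= 0xFE
        if bin(b).count("1") % 2 == 0:
            b |= 1
        out.append(b)
    return bytes(out)


def bac_session_keys(kseed: bytes):
    """Kenc and Kmac: SHA-1(Kseed || 32-bit counter) truncated to 16 bytes,
    counter 1 for encryption and 2 for MAC, parity adjusted."""
    def derive(counter: int) -> bytes:
        d = hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16]
        return with_des_parity(d)
    return derive(1), derive(2)


def keyspace_bits(doc_number_choices: int, dob_days: int, expiry_days: int) -> float:
    """log2 of the number of MRZ_information strings consistent with what an
    attacker does not know (how many document numbers, birth dates and expiry
    dates remain possible). Knowing any field collapses its term to zero bits."""
    return (math.log2(doc_number_choices) + math.log2(dob_days)
            + math.log2(expiry_days))


if __name__ == "__main__":
    # ICAO 9303 specimen document: number L898902C<, born 1969-08-06, expires 1994-06-23
    seed = bac_key_seed("L898902C<", "690806", "940623")
    kenc, kmac = bac_session_keys(seed)
    print("Kseed", seed.hex(), "Kenc", kenc.hex(), "Kmac", kmac.hex())
    # assumed: 9-digit numeric document number, birth date within 100 years,
    # expiry within 10 years -> roughly 57 bits if nothing is known
    print("bits, nothing known:", round(keyspace_bits(10**9, 36525, 3653), 1))
    # assumed: birth date known, expiry narrowed to a 30-day window -> under 35 bits
    print("bits, partial knowledge:", round(keyspace_bits(10**9, 1, 30), 1))
```

The two keyspace_bits calls are the point: the nominal keyspace looks respectable, but every field an attacker already knows (a birth date from a social network, an expiry window from when the passport was issued) removes its entire contribution, which is why the post can call it small.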

Bruce Schneier advises US passport holders to renew your passport NOW before the RFID requirement goes into effect so you can avoid being tracked or hunted down in our country or a foreign country. Otherwise, how will you still be able to claim you're a Canadian in foreign countries?

James A. Donald had a great rant to the Anti-Fraud mailing list about how patents just don't work, at least for their intended purpose of furthering public knowledge.

The theoretical justification for patents has seldom worked in practice. Most patents are flagrantly bogus, always have been. Of the few legitimate patents, the vast majority merely obstruct the development and application of the technology, without in fact making money for the inventor. The normal outcome of patenting a genuine innovation is that people construct second rate workarounds, as Microsoft just did. The destructive effect of patents is merely most visible in those fields that are advancing most rapidly - cryptography being such a field.

These are the fatal flaws of patents--that they are often used these days to stifle competition or to patent ludicrous things like 1-click shopping or automatically launching active content in a webpage. The whole system needs to be revamped.

This is an article from a year ago that showed how each vendor was able to respond to key virus outbreaks. They also show the data from the previous year.

I personally recommend F-Secure's product. The base product gives you everything you need for anti-spyware and malware and is inexpensive. It is not a huge fat pig like some of the products out there (McAfee...). I've heard from others who enjoy Kaspersky as well, so either of those would be good choices, and they happen to both top this list.

I also personally got rid of McAfee products after a multitude of issues:

1. The product is seriously bloated and the Security Center product seems geared more toward selling other McAfee products than providing normal users with value.
2. Many of the products in the suite are not well integrated. They often had their own installers and were a real pain to uninstall.
3. Lots of errors resulting in having to reinstall the product (without there being an easy way to do so).
4. Their website security is horrendous. My wife forgot her password to their site so she used their "forgot my password" feature. Guess what? They emailed her, not a new random password, but her _actual password_. This from a security company! They either store passwords without encryption or store them with reversible encryption--both of which are seriously bad ideas and McAfee should know better.
5. Their suite product line is very expensive and the price seems to go up every year. They have since reworked their product line and it seems to be better now.
6. I read the F-Secure blog and can tell those guys really get security.
7. McAfee was the company with the poor QA that removed critical Office files to "protect" you and also mislabeled a legitimate ISP software program.
8. McAfee products, like Symantec's, have suffered from some local privilege escalation vulnerabilities or remote buffer overflows. The cure is worse than the disease?
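Item 4 deserves a concrete contrast. The following is an added example (not code from this post or from any vendor named in it) showing, in Python, the design a "we emailed you your password" feature implies beside the design a site should use: salted PBKDF2 storage that cannot be reversed, plus a random, single-use, expiring reset token. The iteration count, token lifetime and the example.invalid URL are assumed placeholder values.

```python
"""Added example: password recovery done the recoverable way (what the post
describes) versus hashed storage with one-time reset tokens."""
import hashlib
import hmac
import secrets
import time


class PlaintextAccounts:
    """The design the post describes: the stored password can be mailed back,
    so it must be held in plaintext or under reversible encryption."""

    def __init__(self):
        self.users = {}  # email -> password, as given

    def register(self, email: str, password: str) -> None:
        self.users[email] = password

    def forgot_password(self, email: str) -> str:
        # Whoever reads this mail, the mailbox, or a database dump now has the real password.
        return f"Your password is {self.users[email]}"


PBKDF2_ITERATIONS = 200_000   # assumed work factor for this example
TOKEN_TTL_SECONDS = 15 * 60   # assumed token lifetime
NEUTRAL_RESPONSE = "If that address is registered, a reset link has been sent."


class HashedAccounts:
    """Hardened design: only a salted PBKDF2 hash is stored, so nothing can be
    sent back; recovery mails a random token that works once and expires."""

    def __init__(self, clock=time.time):
        self.users = {}     # email -> (salt, pbkdf2 hash)
        self.tokens = {}    # sha256(token) -> (email, expires_at)
        self.clock = clock  # injectable so expiry is testable

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._hash(password, salt))

    def verify(self, email: str, password: str) -> bool:
        rec = self.users.get(email)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._hash(password, salt))  # constant-time compare

    def forgot_password(self, email: str):
        """Returns (http_response, mail_body). The response is the same whether or
        not the address exists, so the form cannot be used to enumerate accounts."""
        if email not in self.users:
            return NEUTRAL_RESPONSE, None
        token = secrets.token_urlsafe(32)
        token_key = hashlib.sha256(token.encode("ascii")).digest()  # store the hash, not the token
        self.tokens[token_key] = (email, self.clock() + TOKEN_TTL_SECONDS)
        # example.invalid is a placeholder host, not a real endpoint
        return NEUTRAL_RESPONSE, f"Reset link: https://example.invalid/reset?token={token}"

    def reset_password(self, token: str, new_password: str) -> bool:
        token_key = hashlib.sha256(token.encode("ascii")).digest()
        rec = self.tokens.pop(token_key, None)  # pop: a token is usable at most once
        if rec is None:
            return False
        email, expires_at = rec
        if self.clock() > expires_at:
            return False
        self.register(email, new_password)  # fresh salt, fresh hash
        return True
```

The reset token's hash, not the token, goes into the table for the same reason the password's hash does: a copy of the database must not hand out anything that logs in.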

5. Develop Reusable Security Architectures that cover common scenarios and include appropriate protection by design

Tools are sexy; secure design is hard. That's why you see so many tools and vendors hawking tools but not as much work. I hear from people all the time who talk about this tool or pen testing or scanning some server or how you need to hack your wireless network to be secure. That is a bunch of crap in general because trying to audit your way to security is bottom-up grass-roots and can only get you so far. It's an early maturity model to be spending so much time and energy on audits and pen tests instead of security design reviews and developing security architectures. It's a lot easier and sexier to say you hacked a wireless network. We need to get to where it is just as cool to say you developed a wireless network security architecture such that you don't care who is connected to the wireless network because your security is not so brittle as to lose sleep over it. Where are those reusable models made open source?

As for item #3, I don't think that I believe that there can be "quantitative" security risk management. The biggest problem is that there is not enough good data to base future risk upon (try this: how do you quantify risk of brand damage due to event X?).

Item #4 is very important and speaks to ensuring security systems are usable.

1. Eliminate epidemic-style attacks (viruses, worms, email spam) within 10 years;
2. Develop tools and principles that allow construction of large-scale systems for important societal applications -- such as medical records systems -- that are highly trustworthy despite being attractive targets;
3. Develop quantitative information-systems risk management to be at least as good as quantitative financial risk management within the next decade;
4. Give end-users security controls they can understand and privacy they can control for the dynamic, pervasive computing environments of the future.

This is a great article by Peter Gutmann and Ian Grigg on security usability that lists the six principles for a secure communications system laid down by Auguste Kerckhoffs ca. 1883. Even he understood the need for usability back then:

Given the circumstances that command its application, the system must be easy to use, requiring neither mental strain nor the knowledge of a long series of rules to observe.

It is essential that the human interface be designed for ease of use, so that users routinely and automatically apply the protection mechanisms correctly. Also, to the extent that the user's mental image of his protection goals matches the mechanisms he must use, mistakes will be minimized. If he must translate his image of his protection needs into a radically different specification language, he will make errors.

the office refused to grant exemptions that would benefit the general public -- space- and format-shifting, backing up your DVDs -- and they took back an earlier exemption that let people reverse-engineer the blacklists maintained by censorware companies to bring some transparency to their process.

Hey, I'm on a Linux computer and because they insist on requiring Flash to play the videos, the only way I can view them is to download them and watch them with Xine. I plan on violating their terms of service...to continue to access their service...

Summary: people link to bloggers that provide more original content than who just provide links to other places that do so.

Funny because I was just thinking about this regarding this blog. I think it's cool when people enjoy what I provide on this blog, but I really don't care if people read it or not. This is where I keep track of stories and topics that interest me, instead of saved emails or bookmarks that I never look at again. I can always go back and find what I found interesting and what I wrote about it. Pretty cool in my book.

My blog doesn't really have many that link to it and probably the fact that I post many links without a lot of commentary a lot of the time is a good reason why. But I disagree that nobody links to linkers. I personally like blogs because they act as filters or lenses that focus news and interesting content. There are tons of blogs but I like the ones whose mix of topics coincides most with what I'm interested in. Even if they just link to other places, that's fine with me. It's the filtering service that is the value-add, not necessarily original content.

That said, I have anecdotal evidence that my blog only gets noticed when I post original content. My recent entry about SOA security is a perfect example. I also was thinking about how I like the SANS newsbites because they actually summarize the stories they link to, not just provide links (on a related note, the links in Crypto-Gram require me to go read every story that sounds interesting so I generally read fewer of them).

This is great news. They did the same with other phones, including the e815 that I have. Fortunately, there are ways around this to re-enable the crippled features, but they are out of reach to most consumers. I had to buy a data cable and software on eBay to uncripple my phone.

Verizon has been getting weaselly with some of its customers in California who bought its Motorola v710 Bluetooth-"capable" phone on or before January 31, 2005. Preliminary approval of the settlement was granted in a California court for a class-action suit against the company because it didn't accurately tell prospective customers that its Bluetooth features weren't what they appeared to be. Verizon said the phone "works with a PC" but left out that part about how you can't wirelessly sync photos or contacts or any other files using Bluetooth.

It is hard to believe that such a blatant undervote error could be attributable solely to the DRE itself not properly recording them. But user interface designs can certainly be abused maliciously, or likely unintentionally, to create these situations. How ironic is it that the DREs that were touted to Help America Vote are actually helping them to undervote, due to poor design/implementation of the ballots?

This is a perfect example though of how using DREs to generate human-and-machine-readable receipts (voter verifiable) could allow voters to detect their undervotes before they drop them into the ballot box. There could even be very blatant warnings to the user on the receipt and on the screen that they didn't vote in X of the races to help prevent unintentional undervotes. Did these companies do any focus group testing of DREs?

Wednesday, November 22, 2006

I've been working on emergency preparedness for my neighborhood lately so this is very apropos.

BTW, I found a $79.99 Ready kit at Home Depot that is a pretty good deal for a 2-person 72 hour kit (what is recommended for personal preparedness at a minimum). Don't forget supplies for your pets too!

Good news about gift cards. I was just thinking the other day about these practices and it looks like, just in time for the holiday season, you can find out which ones have done away with those pesky expiration dates (are you listening Amazon?) and fees.

If you want a gift card you can use anywhere, you'll pay for the privilege, while gift cards from individual retailers are less costly and sprouting more options.

Those are the major findings of the third annual Bankrate.com Gift Card Study.

Retail store gift cards continue to be a consumer-friendly credit product, with fees and expiration dates the exception rather than the rule. The retailers can make a profit from the merchandise users buy.

Gift cards from the major credit card issuers, though, still carry an assortment of fees. All continue to charge monthly "maintenance" or "dormancy" fees, ranging from $2 per month to $3, if the gift card isn't used within a certain period of time. All but American Express have expiration dates.

Bankrate surveyed the top 25 retailers, as identified by the National Retail Federation, about the costs, terms and conditions of the gift cards they offer, both plastic and electronic. We also surveyed the four largest credit card companies: American Express, Discover Card, MasterCard and Visa.

Monday, November 20, 2006

I'm sick and tired of hearing about the false dichotomy of WS-Security versus SSL and why its performance is somehow going to be so much better than SSL transport encryption of SOAP-based web services. Pundits often point out that SSL has to encrypt the _whole payload_ while WS-Security can be used to digitally sign and/or encrypt only those attributes that absolutely need encrypting or signing.

This kind of reasoning is preposterous and is nowhere near being based on any facts or data, yet these talking points are ever-popular with the "SOA: the Armageddon is near" or WS-NotJustForBreakfastAnymore crowd.

For these people, I have one simple question for you about the assertion that WS-Security is always going to perform better in software than simply using SSL intelligently for the entire transport:

How is it that you can claim that WS-Security digital signature or encryption (with one _or more_ asymmetric plus 1 _or more_ symmetric crypto operation per request PLUS base64 encoding bloating the request PLUS extra SOAP XML tag hierarchies wrapping the encrypted/signed data section that need to be transferred over the network) is going to be faster in general than SSL (with one asymmetric crypto operation at session initiation, and henceforth 1 symmetric crypto operation per packet)?

It has often been vendors of XML firewalls and Microsoft web services evangelists that are the worst offenders. I'd love to hear some answers you get to this question. I haven't gotten a sensible one yet.

Asymmetric crypto operations are roughly 1000 times slower than symmetric crypto operations. I would love to see actual hard data based on a valid underlying test scenario proving that WS-Security is faster than SSL even in the face of this reality. But nobody who makes these claims has it, and I can't see it just based on the orders-of-magnitude difference in the computing time required for the crypto. That is even before you factor in the additional latency for transmitting the extra bytes of the WS-Security payload, the extra parsing time, and the likely need to encrypt and decrypt multiple separate data elements individually.

Yes, in the purported SOAP-router kind of network where SOAP is treated as if it were a wire-level protocol there are problems with SSL since it is not end-to-end, but that is a red herring when we are debunking the claims of enhanced performance. Stop changing the subject! There can be a place for WS-Security in some advanced SOA scenarios, but strictly on performance, I can't see there being any comparison. And most people aren't implementing anything like the SOAP architects envisioned anyway (but don't let that stop the vendors from beating that drum). Most people are still using SOAP for point-to-point services which often replace other wire-transports or technologies (e.g. DCOM, CORBA, proprietary XML services, etc.)

Performance issues with SSL generally have nothing to do with the fact that you are encrypting an entire payload instead of just subsets of the data. For the small messages typical of SOAP calls, this is perhaps a few clock cycles per request. I can say from lots of experience with lots of development teams that at least 90% of the performance problems with SSL in general are due to seriously flawed implementations. The other 10% is generally actual performance impact because the systems on which it is running are vastly undersized, because the system was not designed to be secure (but rather designed on the omission or hope that they wouldn't have to size it to handle the required security).

If you implement SSL to intelligently minimize the asymmetric crypto operations to the absolute minimum by pooling connections and pinning them up and using keepalives, then you are barely going to notice its impact, especially on properly-sized hardware or if you use hardware crypto accelerators. But if it is done incorrectly, or not accounted for in sizing, SSL will remain the whipping boy of many an environment.

Oh, and I have data showing how SSL can actually _speed up_ connections under certain conditions.
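To make the arithmetic in the argument above concrete, here is an added cost model in Python. It is not data from this post: the only figure taken from the text is the 1000:1 asymmetric-to-symmetric ratio, and every other unit (block size, XML wrapper bytes per element, TLS record overhead, an even split of the payload across protected elements) is an assumed round number. It models the sender's CPU work and bytes on the wire for one request, and covers both the pooled-connection case and the handshake-per-request case the post says makes SSL the whipping boy.

```python
"""Added example: a back-of-envelope cost model for one SOAP request under
WS-Security message-level crypto versus TLS transport crypto. Unit costs are
assumptions for illustration, not measurements."""
import math

ASYM_OP_COST = 1000.0      # from the post: an asymmetric op costs ~1000 symmetric ops
SYM_BLOCK_COST = 1.0       # assumed: one symmetric-speed pass over a 16-byte block = 1 unit
BLOCK_BYTES = 16
BASE64_INFLATION = 4 / 3   # base64 turns every 3 bytes into 4 on the wire
WS_XML_OVERHEAD = 1500     # assumed: Security/EncryptedData/Signature markup per element
TLS_RECORD_OVERHEAD = 40   # assumed: record header plus MAC per request


def sym_cost(nbytes: float) -> float:
    """Cost of one symmetric-speed pass (cipher or hash) over nbytes."""
    return math.ceil(nbytes / BLOCK_BYTES) * SYM_BLOCK_COST


def ws_security_request(msg_bytes: int, protected_elements: int,
                        sign: bool = True, encrypt: bool = True) -> dict:
    """Sender-side cost of one request with message-level security. Each
    protected element pays an RSA signature and/or an RSA key-wrap of a fresh
    content key (asymmetric), a hash and/or cipher pass over the element, and
    base64 inflation plus wrapper XML on the wire."""
    ops_per_element = int(sign) + int(encrypt)
    asym_ops = protected_elements * ops_per_element
    bytes_per_element = msg_bytes / protected_elements  # assumed even split
    sym = protected_elements * ops_per_element * sym_cost(bytes_per_element)
    return {
        "asym_ops": asym_ops,
        "cpu": asym_ops * ASYM_OP_COST + sym,
        "wire_bytes": msg_bytes * BASE64_INFLATION + protected_elements * WS_XML_OVERHEAD,
    }


def tls_request(msg_bytes: int, requests_per_connection: int) -> dict:
    """Sender-side cost of one request over TLS. The handshake's asymmetric op
    is amortised over every request that reuses the connection (pooling,
    keepalives); each request then pays one cipher pass and one MAC pass."""
    asym_ops = 1 / requests_per_connection
    return {
        "asym_ops": asym_ops,
        "cpu": asym_ops * ASYM_OP_COST + 2 * sym_cost(msg_bytes),
        "wire_bytes": msg_bytes + TLS_RECORD_OVERHEAD,
    }


def compare(msg_bytes: int, protected_elements: int, requests_per_connection: int) -> dict:
    """Ratios of WS-Security (sign + encrypt) to TLS for CPU and bytes on the wire."""
    ws = ws_security_request(msg_bytes, protected_elements)
    tls = tls_request(msg_bytes, requests_per_connection)
    return {
        "ws_cpu": ws["cpu"],
        "tls_cpu": tls["cpu"],
        "cpu_ratio_ws_over_tls": ws["cpu"] / tls["cpu"],
        "wire_ratio_ws_over_tls": ws["wire_bytes"] / tls["wire_bytes"],
    }


if __name__ == "__main__":
    for per_conn in (1, 100):
        print(f"2 KB request, 1 protected element, {per_conn} requests/connection:",
              compare(2048, 1, per_conn))
    print("4 protected elements:", ws_security_request(2048, 4))
```

The model reproduces the post's two points at once: with a pooled connection TLS needs a hundredth of an asymmetric operation per request while WS-Security needs one or two per protected element, and with a fresh handshake for every request (requests_per_connection=1) TLS can indeed cost more than a sign-only WS-Security message, which is the badly implemented SSL the post blames for most of the complaints.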

"You know," McCain said a few moments later, "you are really one of the more astonishing witnesses that I have [faced] -- in the 19 years I've been a member of this [Senate Commerce, Science and Transportation] Committee."

Lautenberger explained that his staff was working on "pieces" of the report, and conceded the November 2004 deadline had been a "difficult requirement to meet."

Who gets in is another matter. Among people who believe in heaven, one in four thinks access is limited to Christians. More than a third of Protestants feel that way, and this view peaks at 55 percent among Protestants who describe themselves as very religious.

Saturday, November 18, 2006

McCain once had words of praise for Senator Kerry, but he played the repugnican party line during the election and trashed him for his botched joke--acting as if he really believed Kerry, a decorated veteran, was actually disparaging the troops and not Bush. Politics is disgusting. McCain should take what Olbermann said about Rove and Bush to heart:

Matthew Shinnick dropped by a Bank of America branch in San Francisco to make sure a check he was about to deposit wasn't fraudulent. The teller found that the check was fraudulent and told the manager, who then had Shinnick thrown in jail. Are you getting this right? The customer who wanted to make sure he wasn't about to draw on a fraudulent check, got thrown in jail by Bank of America.

In response, customers have withdrawn or removed at least $50 million (at last count) from B of A in protest. See also Clark Howard's site, who gave this lots of attention in California on his radio show.

Monday, November 6, 2006

I was not feeling well but went to work anyway (I thought of resting up one more day and probably should have stayed in bed).

It was the first day back to work after being sick with fever for 3 days.

On my way to the bus stop, after only a 1/2 block from my house, my pants were soaked and shoes soaked through. The rain and wind have been insufferable this fall! I reluctantly went back home frustrated and not knowing if there was a way to possibly get to work but not be soaking wet all day. I decided the strategy would be sacrificial clothing. I geared up in my Costa Rica rain forest gear (all drip-dry) and packed a new dry outfit to change into at work, including new shoes.

Well, the sack that I put my shoes in got a hole worn in it on the way to and from the bus. One shoe fell out on the sidewalk coming into my work building. Fortunately, someone saw it right away and alerted me.

When I went to put my shoes on, one shoe got laces worn in half from dragging behind my wheeled laptop bag.

Turns out my laptop bag was not waterproof so my dry pants got wet.

Turns out my brand new building downtown Seattle has no hand dryers in the new bathrooms! So, I couldn't quickly dry my new pants.

So, I was stuck with wearing my rain pants while I waited for my others to dry out.

But those pants were still damp enough that they got my chair wet. So I had to switch chairs for the day after putting my dry pants on to avoid getting those wet again.

Last Friday, Rep. Edward Markey (D-MA) called for the arrest of Christopher Soghoian, and the takedown of his "Boarding Pass Generator" website which illustrated an airline security hole documented on the web for several years. Hours after the congressman's statement, Soghoian says FBI agents visited his home, then returned a second time after he'd left -- in the middle of the night -- with a search warrant signed at 2AM, and seized Soghoian's computer(s) and other belongings.

Now, several days too late, Markey issues another pronouncement which backtracks on his earlier statement. It's 250 words, but they boil down to one: "oops."

Julie MacDonald, Deputy Assistant Secretary for Fish and Wildlife and Parks, has consistently "rejected staff scientists' recommendations to protect imperiled animals and plants under the Endangered Species Act." A civil engineer with no training in biology, she has overruled and disparaged the findings of her staff, instead relying on the recommendations of political and industry groups.

Especially heinous I think is the recent legislation McCain helped to broker that suspended habeas corpus for "enemy combatants", and allows torture, among other dreadful things. I used to like McCain, but now he's pimped himself out for too many political purposes I think.

In her latest column, posted online on October 29 and that will appear in the November 6 edition of U.S. News & World Report, U.S. News contributing editor and CBS News national political correspondent Gloria Borger asserted that "[n]o one would accuse [Sen. John] McCain [R-AZ] of equivocating on anything." Writing about the prospect of Sen. Barack Obama's (D-IL) running for president in 2008, Borger contrasted him with McCain, asserting that Obama's "penchant for wishy-washy is well documented." Yet as Media Matters for America has repeatedly noted, despite an abundance of well-documented backtracks, flip-flops, and inconsistencies, the media continue to describe McCain with words such as "honest" and "authentic" and generally regard him as an unwavering purveyor of "straight talk."

Monday, October 23, 2006

I have written about the utterly fictitious "ticking bomb" scenario on several occasions. Because I do not want to engage in this exercise ever again, I have assembled here the major relevant arguments, so that they will all be in one place.

Monday, October 9, 2006

The story of how Microsoft has ended up with so many unconnected and uncoordinated versions of command-line tools to manage setting and displaying ACL (Access Control List) entries is funny enough, but wait until you hear about my experience trying to report a bug in the tool. First, on the sordid history that has led to three versions of the same tool, instead of one version that actually works correctly and handles all situations. There was first cacls.exe, which shipped with Windows AFAIK. That was missing some key features, so in all their wisdom, Microsoft released xcacls.exe in a resource kit that made up for the shortcomings in cacls.

So, I found a small bug in Microsoft's

I called Microsoft to find out how I could report the bug in XCACLS.vbs and after voice jail and being put through the regular support cruft they said that the only way to report bugs is by US Mail! They don't have any email address or way to report them via their support line. I told them to forget it. I'd just post something on my blog so that someone having the same problem can find it via google (and that then maybe Microsoft might google it someday so they can fix the problem).

Another funny observation I had was about ING's anti-phishing security mechanisms and usability. They make you use an annoying, long numeric ID as your login ID (you can't change it to an easily-rememberable one) which you can't likely remember so you have to write it down or use Password Safe to recall it. By making account IDs a secret, they are hoping to buy additional security from the obscurity.

However, they recently added a feature on the site (likely because of the usability problems with people not knowing or remembering their login ID) where you can enter some static identifying information (SSN, zip code, birthdate) and they will then pre-populate your customer login ID. I use this often because although you have to type in more information, the usability is better because it is faster to do this than to look up what my login ID is. But, they have now created a great target for phishers that can undo all the benefits of the hidden login ID and the additional measures on the site because this feature is not protected with their RSA/Cyota eStamp as their login dialog is.

Saturday, October 7, 2006

I just heard Limbaugh today repeating the crap talking point about the Foley issue being about the existence of a "gay" republican. That is bullshit. This is about exploitation and preying on innocent children. Wanker.

An excellent paper summarizing many of the problems with certifiers such as TRUSTe as well as showing that sites that get these certifications to prove their trustworthiness are actually more likely to NOT be trustworthy!

I know companies who were so concerned about wanting customers to _think_ that their site was secure that they worked on getting a certification instead of investing in actually _making_ their site secure. No corrective action was taken to align technology or processes to the spirit or letter of the "certification". The same crummy procedures and mindsets that existed before the certification were there after the certification.

I have actually helped fill out the TRUSTe questionnaire and know the difficulty of answering their survey questions with 100% knowledge of everything that goes on in a company, even though it tends to certify the site.

I just came across this site. Seems like a fun idea. You can add your own thing that "you want to do with your life" or see what other people said and use those ideas. You can track your progress. Larger fonts indicate more popular topics in the list. There are thousands of people from around the world on there. It also shows "People doing this are also doing these things", which is interesting as well.

Monday, September 25, 2006

if I were a terrorist, don’t you think that I could figure out how to take the top off a bottle of contact lens solution and put my explosive liquids in there? It is totally pointless to enforce rules which impose costs on innocent people, but are easily circumvented by terrorists. Can anyone think this is accomplishing anything productive?

This was a long-overdue smackdown by Clinton after being sandbagged on Fox. They forced YouTube to take down the video clip--trying to rewrite history. Stephanie Miller played the audio this morning--are they going to go after her too? Oh no, people will know that Fox is slanted to the right and giving people on the right a pass!

Monday, September 18, 2006

take some time, come up with a couple of sharp arguments, and spread those arguments among the people. We can complain about how well or how poorly legislators defend the Constitution. However, ultimately, it is our job to defend the Constitution, and this is one of the greatest assaults the Constitution has ever been subjected to.

Do you care enough to help defend it?

It sickens me to hear people like Pat Robertson on McLaughlin group making these claims as if we know that the captured people are 100% guilty. We often don't really know that, as evidenced by the many, many people we have captured, held, then let go free. We are considered innocent until proven guilty in this country to protect the innocent -- and that is you and me -- from unfounded abuse. Give that up and you or your family could be next. All it would take is for one of those in custody we are "coercively interrogating" (read: Jack Bauer tactics) to name you or your family. Then you could be sitting right next to them.

There are laws that prevent some businesses from being open on Sundays??? I thought it was "christian" pandering by businesses. It is really annoying that so many businesses are closed Sundays and if the government is the reason why, then that is appalling.

Sunday, September 17, 2006

This is great. People tend to make decisions using the emotional, fear-driven parts of their brain. Even in the face of raw data about risks it is very hard for people to feel comfortable turning away from those hard-wired instincts for self-preservation and making decisions that conflict with those feelings. A look at this chart shows how irrational spending and decisions are in this country. And how trading security for a little perceived freedom is a bad tradeoff--especially when you are far more at risk from plenty of other factors. The incidence of government taking advantage of its citizenry is likely to be higher than terrorist attacks against America.

Unfortunately, politicians rely on the masses making poor choices on inaccurate or flawed data to keep them in power. Think about that when you vote this November. Those who want you to stay afraid are themselves afraid.

Thursday, September 14, 2006

Researchers at Princeton, including Ed Felten, have been able to implant malicious code on Diebold touch screen voting machines that was demonstrated to be able to flip election results. They have a video of them doing this as well.

The company response is typically clueless (as is their security). I wonder if the nice Diebold ATMs in use at banks such as USBank are anywhere near as vulnerable?

I saw this first on The Daily Show. I can't believe this hasn't gotten more press despite the large percentage of the country who have been made to accept the opposite as true because of the lapdog press and liars in this administration.

the second 9/11 is the political prop — a mangled, grotesque doppelganger of the first one that has been whored out on the political street for over four years now. The second 9/11 is the source of policies that have made the world far worse, and have killed many times the number of people who died in the Towers. And so, what’s truly tragic about the second 9/11 is that it threatens to forever stain the legacy of the first 9/11

Indeed. How hard was it to find a radio/TV station that wasn't pushing 9/11 in your face? Who wants to hear another fearmongering speech by W? Not I.

Saturday, September 9, 2006

ABC and Disney, for starters, still plan to broadcast an account of the events leading up to the September 11, 2001, terrorist attacks that they know to be false.

This despite Disney's 2004 refusal to distribute Fahrenheit 9/11, which was highly critical of President Bush, even though it was produced by a Disney subsidiary, Miramax Films. Then-Disney CEO Michael Eisner explained that the company "did not want a film in the middle of the political process where we're such a nonpartisan company and our guests, that participate in all of our attractions, do not look for us to take sides."

Thursday, August 10, 2006

I'm so tired of seeing privacy officers and council members who are lawyers first. They may understand the law, but they often don't understand privacy. And lawyers tend to not consider risks outside of the legal/liability context. I've experienced privacy lawyers say that it was okay to not encrypt data anywhere internally because we only said "via our website" in our privacy policy. That may be true in a strict legal sense, but from an overall customer privacy and privacy threat model perspective, it doesn't adequately ensure either adequate protection for customer privacy (the intent of the policy and assurances to customers) nor does it ensure an adequate privacy environment or mindset in a company (which itself often leads to more lax treatment of sensitive information and therefore breaches).

A good analysis of why the threat model for materials in checked luggage may be sufficiently different from that for carry-on, which is what would need to hold for the new security measures to make sense.

I'm not sure I agree with Bruce Schneier's assessment that, "Given how little we know of the extent of the plot, these don't seem like rediculous [sic] short-term measures." I don't agree with this because if it is too risky to bring these kinds of materials onboard today, then why would it ever be okay to allow them tomorrow? It's kind of like the precautionary disconnect from the Internet, "Why, why, why do they let employees use the Internet at all if they occasionally stop trusting its safety? Threats don't magically shrink just because you updated the antivirus package." It doesn't make much sense to occasionally stop trusting liquids/gels on airplanes. They are either a threat (someone can always masquerade a bomb as a benign liquid at any time and can always disguise a detonator as anything--imagine if terrorists used cellphones instead of keyfobs for a detonator--the public reaction to banning cellphones in carry-on would be huge) or they aren't. I agree that there is a heightened threat right now, but that threat has been and will be nonzero, so when will it be "safe" to allow them back on board and what criteria would determine this?

The other danger of taking such drastic measures is that the terrorists could be counting on that. Terrorists can just change tactics while the TSA is busy keeping someone's Frappuccino off the plane but allowing supposed breastmilk and liquid prescription drugs. As if the terrorists wouldn't have anticipated that loophole.

I wish I wasn't flying in a couple of days--not because I'm afraid of the possibility of a terrorist on board my plane, but because it's going to be a nightmare to go through security. And now I have to rethink everything I was planning to bring on board.

Tuesday, August 8, 2006

Great treatise on how the inability of people to reason properly (I called it Illogicacy here, after Innumeracy) leads them to make terrible mistakes that result in harm to others, often worse than the things society feels harm it most.

This blog is really, really excellent, BTW. It really makes you think. Sometimes you just think that you would never have come up with that, or could never have expressed it so logically and eloquently.

A water desalination system using carbon nanotube-based membranes could significantly reduce the cost of purifying water from the ocean. The technology could potentially provide a solution to water shortages both in the United States, where populations are expected to soar in areas with few freshwater sources, and worldwide, where a lack of clean water is a major cause of disease.

Monday, July 31, 2006

“This may be the worst security flaw we have seen in touch screen voting machines,” says Open Voting Foundation president, Alan Dechert. Upon examining the inner workings of one of the most popular paperless touch screen voting machines used in public elections in the United States, it has been determined that with the flip of a single switch inside, the machine can behave in a completely different manner compared to the tested and certified version.

Makes you wonder how secure those ATMs made by Diebold are (USBank uses them I know).

Saturday, July 29, 2006

You know, there was a time when I thought McCain was a straight-shooter. Now, he's no different than any other politician it seems. Will someone in politics ever be able to maintain rational, principled stands on something?? They are few and far between.

Just found out about an informal security group that meets in Seattle. I've often seen a need for interaction with security professionals between Agora and ISSA monthly meetings (and I'm on the ISSA Puget Sound board). Where organizations don't meet needs, they often spring up on their own. Once my dance lessons are over at Century Ballroom, I'll be able to attend these on Wednesdays.

Why

Agora and ISSA are too formal. This is just a chance to hang out with local security professionals and get to know each other.

"Europe should not follow the reactionary lead of President Bush, who recently vetoed a bill passed by Congress and supported by a majority of the American people that would have allowed federal funding for stem cell research," he said in a statement to The Independent. "Stem cell research is the key to developing cures for degenerative conditions like Parkinson's and motor neurone disease from which I and many others suffer," he said.

And more idiot liars in the White House repeating the same non-reality-based crap:

Thursday, July 20, 2006

Here is why Bush's position is a joke: Thousands and thousands of embryos are destroyed every year in fertility clinics. They are created in petri dishes as part of fertility treatments like IVF; then they are discarded.

This made me wonder if the bible mentions anything about dinosaurs. If it doesn't, does that mean they never existed (for those inclined to believe that everything about the world can be derived from the bible)?

That messy 2000 election was supposed to be the jolt America needed. After chronic flaws in the country's voting process became painfully public, an ambitious reform effort was supposed to make hanging chads and butterfly ballots relics of election nightmares gone by.

But nearly six years later, it hasn't turned out that way. In the state of Washington, the 2004 governor's election took more than six months to resolve--again before a court. And some liberal activists still believe that vote tampering and dirty tricks handed Ohio to the GOP, enabling President Bush to win re-election. Now, heading into the midterm congressional elections, despite the expenditure of billions of dollars, a litany of problems remains.

Also, several good links via SANS NewsBites Vol. 8 Num. 53:

--Study Finds Popular eVoting Machines Susceptible to Fraud (27 June 2006)
A Brennan Center for Justice study of electronic voting machines concluded that the three most widely used voting machines are vulnerable to fraud, but there are measures that can be taken in all three cases to boost their integrity. Roughly 80 percent of American voters are expected to use electronic voting machines in elections this November. Representative Rush Holt (D-N.J.) has introduced a bill that would require all voting machines to provide a verifiable paper audit trail.
http://news.com.com/2102-7348_3-6088464.html?tag=st.util.print
[Editor's Note (Schultz): The fact that a verifiable paper trail is being proposed is in and of itself an extremely positive step forward as far as fairness in electronic voting goes.
(Pescatore): I think we are past the point where any rational person believes that most current voting machines are safe enough. The first generation of ATM machines weren't secure enough either - the real issue is making sure the current problems are bounded and managed, and that the next generation of voting machines make big leaps forward.
(HONAN): The Irish Commission on Electronic Voting recently published their report highlighting serious concerns with the software used in the electronic voting machines purchased by the Irish Government.
http://www.cev.ie/htm/report/download_second.htm
http://www.unison.ie/irish_independent/stories.php3?ca=9&si=1646254&issue_id=14303
http://www.examiner.ie/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=7621-qqqx=1.asp]

SSL-authenticated login pages certainly don't _solve_ the phishing problem, since phishing is partly psychological/sociological and makes use of technology as a means of improving the odds of hacking the human psyche. So, a purely technological fix is unlikely to, prima facie, address the root issues.

But, the SSL change can help in a couple of key ways:

Rather than give customers 0 tools to protect themselves, we can give them at least the best tool out there so far for authenticating our site and therefore make an informed decision.

Rather than continuing to train users to "trust page contents" (i.e. the lock image and our feeble assurances in the "Why this is secure" page), we can retrain them to use reliable measures that are not as subject to spoofing.

That is not to say that SSL does not have its problems:

Who made the trust decision to put the 50-100 CA certs in the browser? Why should the user trust those introducers? How do we know that those issuers won't screw up (like Equifax/GeoTrust did recently by issuing a domain-verified cert automatically that was very similar to a real bank: http://jordy.gundy.org/?p=49)?

The UI is horrible for security. The lock is too small, it is too easy for the "simon says" problem to bite you since you don't notice when it isn't there. Some changes, such as changing the browser toolbar color based on the encryption will help, but Firefox and IE7 use different color schemes for the same semantics...

There are usability issues with the UI. Everybody (even me) turns off the warning dialogs about submitting unencrypted form posts. That kind of annoy-user-into-submission security fails the psychological acceptability test and it doesn't work anyhow because you should generally protect the user where it counts, not warn and hope they do the right thing.

The phishing problem is one of Identity Continuity. It's not important that an SSL certificate matches the domain, since that does not help during the initial introduction to a site. What you really should be protecting the users from is when a known relationship in the digital sense has a discontinuity. That signals a phishing attack. The analogy is SSH known_hosts. On the initial introduction, you choose to trust the server since the likelihood that you are being MITM attacked is infinitesimal. But, if you are MITM attacked, SSH will scream loudly and not let you connect. That is what the browsers should do, although clean up the UI a bit for the unwashed masses. The MITM issue is one of a discontinuity. So, SSL in the current sense solves the wrong problem because the browsers have no means of managing site continuity information. They should. Some schemes, such as trustbar and petnames, allow friendly site logos or names to help users detect continuity problems, but their UIs are too easy to ignore if there is a problem. The user should actually be stopped from proceeding.
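The known_hosts analogy above, worked through as an added example (not code from the original post): a small trust-on-first-use store that records a site's certificate fingerprint on first contact and refuses on any later change, including the case the post concedes it cannot catch, the initial introduction to a lookalike site. The site names and certificate bytes are constructed sample values.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Verdict(Enum):
    FIRST_CONTACT = "first contact: identity recorded (trust on first use)"
    CONTINUOUS = "identity matches the recorded one, proceed"
    DISCONTINUITY = "identity changed: stop the user, do not proceed"


@dataclass
class ContinuityStore:
    """Maps a site name to the certificate fingerprint seen on first
    contact, the role known_hosts plays for SSH."""
    known: dict = field(default_factory=dict)

    @staticmethod
    def fingerprint(cert_der: bytes) -> str:
        # SHA-256 over the raw certificate bytes (like ssh-keygen -l -E sha256)
        return hashlib.sha256(cert_der).hexdigest()

    def check(self, site: str, cert_der: bytes) -> Verdict:
        fp = self.fingerprint(cert_der)
        recorded = self.known.get(site)
        if recorded is None:
            # Initial introduction: nothing to compare against, so record
            # the identity and proceed. This is the gap the post describes:
            # a lookalike site seen for the first time looks exactly like a
            # legitimate new site.
            self.known[site] = fp
            return Verdict.FIRST_CONTACT
        if recorded == fp:
            return Verdict.CONTINUOUS
        # A known relationship now has a discontinuity. SSH refuses to
        # connect here; the post argues browsers should do the same.
        return Verdict.DISCONTINUITY

    def accept_rotation(self, site: str, cert_der: bytes) -> None:
        """Explicit, out-of-band acceptance of a new identity, the
        equivalent of editing known_hosts after verifying the change."""
        self.known[site] = self.fingerprint(cert_der)


# Constructed sample "certificates". A real client would use the DER bytes
# of the leaf certificate presented in the TLS handshake.
BANK_CERT_V1 = b"constructed-cert:bank.example:key-1"
BANK_CERT_V2 = b"constructed-cert:bank.example:key-2"   # legitimate rotation
UNEXPECTED_CERT = b"constructed-cert:unknown-party:key-x"
LOOKALIKE_CERT = b"constructed-cert:bank-example.test:key-9"


def demo() -> list:
    """Walk through the cases the post discusses; returns the verdicts."""
    store = ContinuityStore()
    verdicts = [
        store.check("bank.example", BANK_CERT_V1),      # first contact
        store.check("bank.example", BANK_CERT_V1),      # same identity
        store.check("bank.example", UNEXPECTED_CERT),   # discontinuity
    ]
    # A legitimate key change is accepted explicitly; the old identity
    # then becomes the discontinuity.
    store.accept_rotation("bank.example", BANK_CERT_V2)
    verdicts.append(store.check("bank.example", BANK_CERT_V2))
    verdicts.append(store.check("bank.example", BANK_CERT_V1))
    # The limitation: a never-seen lookalike host is just another first contact.
    verdicts.append(store.check("bank-example.test", LOOKALIKE_CERT))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v.value)
```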

If that doesn't sound impressive to you, note that it tops the all-time Florida State University leg press record by 665 lbs, set by a guy whose eye capillaries burst during the effort. http://www.sportsline.com/spin/story/9454343

legal or not, this sort of spying program probably isn't worth infringing our civil liberties for — because it's very unlikely that the type of information one can glean from it will help us win the war on terrorism.

Interesting mathematical analysis of how effective the NSA domestic call-tracking spy program could possibly be.

Their article is eerily similar to my Ajax presentation from February (particularly if you've seen me give the presentation), and even more similar to the draft Ajax chapter I wrote shortly after for the OWASP Guide (now posted to our Wiki - http://www.owasp.org/index.php/Ajax_and_Other_%22Rich%22_Interface_Technologies). Hmmmm. As the saying goes, this is the best form of flattery. I suppose.

If you haven't had a chance to read up on Ajax security, their article is a start... as is my presentation (http://www.greebo.net/?page_id=329) and the draft chapter in the OWASP Guide 3.0 current.

thanks,
Andrew

Begin forwarded message:

> > Ajax security basics
> > By Jaswinder S. Hayre, and Jayasankar Kelath
> > 2006-06-19
> >
> > The purpose of this article is to introduce some of the security implications with modern Ajax web technologies. Though Ajax applications can be more difficult to test, security professionals already have most of the relevant approaches and tools needed.
> >
> > http://www.securityfocus.com/infocus/1868

OWASP is pleased to announce the immediate availability of the OWASP PHP Top 5. The OWASP Top 5 is an education piece which provides up to date advice to PHP developers, hosters, and other PHP users. The PHP Top 5 is produced by the OWASP PHP Project.

The PHP Top 5 is based upon attack frequency in 2005 as reported to Bugtraq. This information is a valuable insight into the most devastating attacks against the world's most popular web application framework.

In 2005, OWASP collaborated with SANS to research and write a completely new PHP section for their successful SANS Top 20 2005. The OWASP PHP Top 5 is the full unabridged text, updated to reflect recent XSS attacks and SQL injection vectors.

"The going rate for downloading songs from online music services like Apple's (AAPL) iTunes Music Store, MusicNet, Pressplay, and Rhapsody is about $1 a pop. Yet the economics of recorded music sales haven't changed much since the vinyl era -- despite the fact that digital files cost very little to produce and distribute. So how much of your buck makes its way back to the artists? Not much, though it's clearly a better deal than they get from piracy. "

The Bush administration has been dealt a setback in its campaign to allow prayer in our public schools. The full 9th Circuit U.S. Court of Appeals has voted 15-9 to back the 2-1 vote by its earlier panel finding the Pledge of Allegiance unconstitutional because of the words ''under God.''

The 9th Circuit seems to agree. Our Constitution protects the freedom of us all, Jew, Christian, atheist, Muslim, Buddhist or agnostic to pray or keep silent, worship or not, believe or disbelieve. Standing outside the classroom door to avoid participating is exclusionary, especially for children.

At my school in the 1960s, one student couldn't pledge allegiance to the flag because her family was Jehovah's Witness. Being children, we thought she was weird. She even seemed less American. She was just a little girl.

But what if the same secret technology, called global positioning satellite tracking, could track anyone at any time?

The Washington Supreme Court will decide soon whether police agencies throughout the state may use the device freely -- without a warrant. The Jackson case is the first in the state dealing with the issue.

OLYMPIA, WA - The American Civil Liberties Union of Washington today hailed a unanimous, first-in-the-nation ruling by the Washington Supreme Court that police must obtain a warrant in order to track an individual's movements with Global Positioning Systems (GPS). The ruling agrees with arguments the ACLU submitted in a friend-of-the-court brief in the case.

"The ACLU applauds the court's ruling in this landmark case. Tracking a person's movements by GPS is highly intrusive. It is the equivalent of placing an invisible police officer in the back seat of a person's car," said ACLU of Washington Privacy Project Director Doug Klunder, who wrote the ACLU's brief.

> I've been working on the issue of how to build secure public networks for about 7 years. I started out as a military analyst and I wanted to put the cyber terror/cyber war issue in a larger strategic context. About a year ago, I started looking for examples of cyber-terrorism, where hackers had shut down critical infrastructures. I was surprised to discover that I couldn't find any, so I began to look more closely at the hypothetical scenarios involving cyber war. Most of them turned out to be implausible from a military or national security perspective. Hence the report.